Package-level declarations
Types
Identification for an API Operation.
Builder for ApiOperationArgs.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices
and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": "user:jose@example.com" }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": "user:aliya@example.com" } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com
from DATA_READ logging, and aliya@example.com
from DATA_WRITE logging.
Builder for AuditConfigArgs.
Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": "user:jose@example.com" }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Builder for AuditLogConfigArgs.
BasicLevel
is an AccessLevel
using a set of recommended features.
Builder for BasicLevelArgs.
Associates members
, or principals, with a role
.
Builder for BindingArgs.
A condition necessary for an AccessLevel
to be granted. The Condition is an AND over its fields. So a Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent at a time allowed by the DateTimeRestriction.
Builder for ConditionArgs.
CustomLevel
is an AccessLevel
using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec
Builder for CustomLevelArgs.
DevicePolicy
specifies device specific restrictions necessary to acquire a given access level. A DevicePolicy
specifies requirements for requests from devices to be granted access levels, it does not do any enforcement on the device. DevicePolicy
acts as an AND over all specified fields, and each repeated field is an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests originating from encrypted Linux desktops and encrypted Windows desktops.
Builder for DevicePolicyArgs.
Defines the conditions under which an EgressPolicy matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed.
Builder for EgressFromArgs.
Policy for egress from perimeter. EgressPolicies match requests based on egress_from
and egress_to
stanzas. For an EgressPolicy to match, both egress_from
and egress_to
stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset). EgressPolicies are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of EgressFrom and EgressTo.
Builder for EgressPolicyArgs.
Defines the conditions under which an EgressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the resources
specified. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed. The request must match operations
AND resources
fields in order to be allowed egress out of the perimeter.
Builder for EgressToArgs.
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Builder for ExprArgs.
Builder for GetAccessLevelPlainArgs.
Builder for GetAccessPolicyIamPolicyPlainArgs.
Builder for GetAccessPolicyPlainArgs.
Builder for GetAuthorizedOrgsDescPlainArgs.
Builder for GetGcpUserAccessBindingPlainArgs.
Builder for GetServicePerimeterPlainArgs.
Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the source of the request. The request must satisfy what is defined in sources
AND identity related fields in order to match.
Builder for IngressFromArgs.
Policy for ingress into ServicePerimeter. IngressPolicies match requests based on ingress_from
and ingress_to
stanzas. For an ingress policy to match, both the ingress_from
and ingress_to
stanzas must be matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required. Individual ingress policies can be limited by restricting which services and/or actions they match using the ingress_to
field.
Builder for IngressPolicyArgs.
The source that IngressPolicy authorizes access from.
Builder for IngressSourceArgs.
Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the target resource of the request. The request must satisfy what is defined in operations
AND resources
in order to match.
Builder for IngressToArgs.
An allowed method or permission of a service specified in ApiOperation.
Builder for MethodSelectorArgs.
A restriction on the OS type and version of devices making requests.
Builder for OsConstraintArgs.
ServicePerimeterConfig
specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.
Builder for ServicePerimeterConfigArgs.
Specifies how APIs are allowed to communicate within the Service Perimeter.
Builder for VpcAccessibleServicesArgs.